When a Password Replication Policy is enabled and a user or computer account is in the Allowed RODC Password Replication Group, the account's password is replicated to and cached on the Read-Only Domain Controller (RODC) when the branch user logs in for the first time. The RODC then authenticates those branch users and computers on subsequent logins without forwarding requests to the main (writeable) DC. However, with a built-in feature, you can prepopulate and cache the passwords of users and computers on the RODC before they attempt to log in.

Before you prepopulate passwords, the user and computer accounts must be in the Allowed RODC Password Replication Group. In this guide, we will look at prepopulating passwords on a Read-Only Domain Controller in Windows Server 2016 by using Server Manager and PowerShell.

Prepopulating Passwords On Read-Only Domain Controller Windows Server 2016 Using Server Manager

Step 1. Open the Server Manager dashboard. Click Tools -> Active Directory Users and Computers.

Step 2. Click Domain Controllers. In the right pane, right-click the Read-Only Domain Controller computer account and then click Properties.

Step 3. Go to the Password Replication Policy tab and double-click Allowed RODC Password Replication Group.

Step 4. Click Add.

Step 5. Enter the user or computer account you wish to add to the Allowed RODC Password Replication Group. Click OK.

Step 6. Click Apply and then OK.

Step 7. Click Advanced.

Step 8. Click Prepopulate Passwords.

Step 9. Enter the user or computer account whose password you wish to prepopulate and click OK.

Step 10. Click Yes in the confirmation window.

Step 11. Wait for the wizard to finish.

Step 12. Click OK.

Configuring Credential Caching On Read-Only Domain Controller Windows Server 2016 Using PowerShell

Step 1. Open PowerShell with elevated privileges.

Step 2. Execute the following command to add user and computer accounts to the Allowed RODC Password Replication Group.

Add-ADGroupMember -Identity "Allowed RODC Password Replication Group" -Members meazhar

Step 3. Execute the following script to prepopulate the passwords of all users in the Students OU.

# Requires the ActiveDirectory PowerShell module
Import-Module ActiveDirectory

# All user accounts in the Students OU
$users = Get-ADUser -SearchBase "OU=Students,dc=yourdomain,dc=com" -Filter *

foreach ($user in $users) {
    # Replicate only the password from SERVER2016 to the RODC SRV-01RODC
    Sync-ADObject -Object $user.DistinguishedName -Source SERVER2016 -Destination SRV-01RODC -PasswordOnly
}
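
The script above does not confirm that each account is permitted by the Password Replication Policy or that the password actually reached the RODC. The following is an added example, not part of the original guide, that checks each account's resultant policy first, prepopulates only the allowed ones, and then reports what is cached. It reuses the guide's sample names (SERVER2016, SRV-01RODC, the Students OU), which are assumptions about your environment.

```powershell
# Added example: pre-check the policy, prepopulate, then verify the cache.
# Server, RODC and OU names are the guide's sample values; replace them with your own.
Import-Module ActiveDirectory

$rodc   = 'SRV-01RODC'                        # destination RODC
$source = 'SERVER2016'                        # source DC used in the guide's script
$ou     = 'OU=Students,dc=yourdomain,dc=com'  # OU whose users are prepopulated

$report = foreach ($user in Get-ADUser -SearchBase $ou -Filter *) {
    # Resultant policy for this account on this RODC:
    # Allow, DenyExplicit, DenyImplicit or Unknown
    $policy = Get-ADAccountResultantPasswordReplicationPolicy -Identity $user -DomainController $rodc

    if ($policy -eq 'Allow') {
        # Only allowed accounts can have their password replicated to the RODC
        Sync-ADObject -Object $user.DistinguishedName -Source $source -Destination $rodc -PasswordOnly
    }

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        DistinguishedName = $user.DistinguishedName
        Policy            = $policy
    }
}

# Accounts whose passwords are currently stored on the RODC
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object -ExpandProperty DistinguishedName

# One row per user: resultant policy and whether the password is cached
$report |
    Select-Object SamAccountName, Policy,
        @{ Name = 'CachedOnRodc'; Expression = { $revealed -contains $_.DistinguishedName } } |
    Sort-Object Policy, SamAccountName |
    Format-Table -AutoSize
```

Accounts reported with a policy other than Allow are skipped rather than producing replication errors. The accounts marked as cached are the ones whose passwords would need to be reset if the RODC were lost or compromised.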

One thought on “How to Prepopulate Passwords Cache on Read-Only Domain Controller Windows Server 2016”

  • May 6, 2018 at 11:19 am

    How to prepopulate all domain users? Added Domain Users in Allowed RODC group. How to force pre-populate all users and computers?